Facebook's Privacy Two-Step On Passwords, Employers

Facebook says sharing your password with a potential employer violates its rules. But will Facebook enforce this rule, when it still doesn't confirm user ages?

Is anyone surprised that it has come to this? Employers have started asking prospective employees for their Facebook passwords so they can learn what job applications won't tell them.

Facebook finds it distressing to hear about this and warns that the practice "undermines the privacy expectations and the security of both the user and the user's friends" and "potentially exposes the employer who seeks this access to unanticipated legal liability."

The company is urging Facebook users to resist such requests--easier said than done when refusal could mean a job offer denied--because password sharing represents a security risk and because sharing or soliciting passwords violates the company's Statement of Rights and Responsibilities.

If Facebook actually enforces its rules and takes legal action against nosy employers, it will be something of a shock, considering all people under 13 who have active Facebook accounts are in violation of Facebook rules.

Some 36% of more than 1,000 parents surveyed by Microsoft Research senior researcher Danah Boyd said their children joined Facebook before turning 13. And some 78% of parents think it is acceptable for their child to violate Facebook's rules. I can corroborate that research: My 12-year-old daughter complains she's the only one in her class who isn't on Facebook.

When Facebook users routinely flout Facebook's rules, is it any wonder employers don't take those rules very seriously?

Facebook says it takes privacy very seriously. But it doesn't take privacy seriously enough to really enforce its rules--it would cost a lot to verify users' ages and it would mean fewer users and less ad revenue.

Facebook doesn't take privacy seriously enough not collect data in the first place. It doesn't take privacy seriously enough to protect your data from Facebook: Its business model is predicated on data.

Privacy is when you have your data. When someone else has your data, you no longer have privacy. You've given your privacy away. If Facebook wanted you to have privacy, it wouldn't have taken it in the first place.

To re-purpose the trite tagline from Field of Dreams, if you gather personal data, they will come. It you store it, they will review it, demand it, or steal it.

Sen. Richard Blumenthal (D-Conn.) says he'll introduce a federal bill to make it illegal for employers to demand Facebook passwords from job applicants. He's obviously never applied for a job with the CIA--if you think scouring Facebook accounts is invasive, try having an intelligence agency interview your associates over the years. You can have all the privacy you want, until someone has reason to look behind the veil.

A law would be better than Facebook's widely ignored and sparingly enforced rules. But it would be addressing the symptom--curiosity--rather than the disease--sharing. No law will prevent people from compromising their futures by posting stupid or potentially embarrassing or socially damaging things online. The "post" button, like a diamond, is forever.

While a handful of employers may have been clumsy enough to publicly declare their intent to pry, many more businesses and individuals are discreetly googling away and finding out all sorts of things about job applicants, prospective tenants, would-be clients and loan-seekers, potential dates and roommates, next-door neighbors, and next-desk colleagues. And they may not share what they've discovered about your sharing. They'll simply, silently deny you.

If you take your privacy very seriously, watch what you say online, because declarations from others about how seriously they take your privacy won't save you.

The Enterprise 2.0 Conference brings together industry thought leaders to explore the latest innovations in enterprise social software, analytics, and big data tools and technologies. Learn how your business can harness these tools to improve internal business processes and create operational efficiencies. It happens in Boston, June 18-21. Register today!

Published: 2015-03-03Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename.

Published: 2015-03-03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue in customer-controlled software. Notes: none.

How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.